
PixieFail flaws impact PXE network boot in enterprise systems


A set of nine vulnerabilities, collectively called 'PixieFail,' impact the IPv6 network protocol stack of Tianocore's EDK II, the open-source reference implementation of the UEFI specification widely used in enterprise computers and servers.

The flaws are present in the PXE network boot process, which is crucial for provisioning operating systems in data centers and high-performance computing environments, and a standard procedure for loading OS images from the network at boot.

The PixieFail flaws were discovered by Quarkslab researchers and have already been disclosed to impacted vendors through a coordinated effort by CERT/CC and CERT-FR.

PixieFail details

The PixieFail vulnerabilities arise from the implementation of IPv6 in the Preboot Execution Environment (PXE), part of the UEFI spec.

PXE enables network booting, and its IPv6 implementation introduces additional protocols, increasing the attack surface.

PixieFail attacks consist of nine flaws that can be exploited locally on a network to cause denial of service (DoS), information disclosure, remote code execution (RCE), DNS cache poisoning, and network session hijacking.

Below is a summary of the nine PixieFail flaws:

  • CVE-2023-45229: Improper handling of IA_NA/IA_TA options in DHCPv6 Advertise messages, leading to an integer underflow and potential memory corruption.
  • CVE-2023-45230: Problematic handling of long Server ID options in DHCPv6, allowing for buffer overflow and potentially leading to remote code execution or system crashes.
  • CVE-2023-45231: Problematic handling of truncated options in Neighbor Discovery (ND) Redirect messages, leading to out-of-bounds read.
  • CVE-2023-45232: Flaw in the IPv6 Destination Options header parsing, where unknown options can trigger an infinite loop, causing a denial of service.
  • CVE-2023-45233: Infinite loop issue in parsing the PadN option in the IPv6 Destination Options header.
  • CVE-2023-45234: Buffer overflow problem when handling the DNS Servers option in a DHCPv6 Advertise message.
  • CVE-2023-45235: Vulnerability in handling the Server ID option from a DHCPv6 proxy Advertise message, leading to a buffer overflow.
  • CVE-2023-45236: The TCP stack in EDK II generates predictable Initial Sequence Numbers, making it susceptible to TCP session hijacking attacks.
  • CVE-2023-45237: Use of a weak pseudo-random number generator in the network stack, potentially facilitating various network attacks.

Of the above, the most severe are CVE-2023-45230 and CVE-2023-45235, which allow attackers to perform remote code execution, possibly leading to complete system compromise.
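A bounds-checked DHCPv6 option walker, added here as an illustration and not taken from EDK II or Quarkslab: it shows the two length checks whose absence produces the kind of Server ID overflow summarized for CVE-2023-45230 and CVE-2023-45235. The function, struct and constant names and the 130-byte buffer are assumptions of this example; the option layout (16-bit code, 16-bit length) and Server ID option code 2 follow RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_SERVERID 2    /* DHCPv6 OPTION_SERVERID (RFC 8415) */
#define SERVERID_MAX 130  /* hypothetical destination buffer size for this example */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_MISSING = -3 };

struct server_id {
    uint8_t duid[SERVERID_MAX];
    size_t  len;
};

/* Walk the option area of a DHCPv6 message (the bytes after the 4-byte
 * msg-type/transaction-id header) and copy out the Server ID option.
 * Every length taken from the packet is checked before it is used. */
int extract_server_id(const uint8_t *opts, size_t opts_len, struct server_id *out)
{
    size_t off = 0;

    while (off < opts_len) {
        /* Option header is 4 bytes: 16-bit code, 16-bit length, big-endian. */
        if (opts_len - off < 4)
            return PARSE_TRUNCATED;
        uint16_t code = (uint16_t)((opts[off] << 8) | opts[off + 1]);
        uint16_t len  = (uint16_t)((opts[off + 2] << 8) | opts[off + 3]);
        off += 4;

        /* The declared length must fit in what was actually received. */
        if (len > opts_len - off)
            return PARSE_TRUNCATED;

        if (code == OPT_SERVERID) {
            /* The declared length must also fit the destination buffer;
             * omitting this comparison is the overflow pattern. */
            if (len > sizeof(out->duid))
                return PARSE_TOO_LONG;
            memcpy(out->duid, opts + off, len);
            out->len = len;
            return PARSE_OK;
        }
        off += len;   /* offset always advances past the 4-byte header */
    }
    return PARSE_MISSING;
}
```

Because the offset moves forward by at least the option header on every iteration, the walker also cannot spin on a zero-length or unknown option.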

Quarkslab has released proof-of-concept (PoC) exploits that allow admins to detect vulnerable devices on their network.

Widespread impact

The PixieFail vulnerabilities impact Tianocore's EDK II UEFI implementation and other vendors using its NetworkPkg module, including major tech companies and BIOS providers.

According to Quarkslab, this includes Arm Ltd., Insyde Software, American Megatrends Inc. (AMI), Phoenix Technologies Inc., and Microsoft Corporation. CERT/CC's security advisory also states that Intel is impacted.

Although the EDK2 package is included in ChromeOS's source code tree, Google has specified that it is not used in production Chromebooks and is not impacted by the PixieFail flaws.

The initial disclosure to CERT/CC occurred on August 3, 2023, and the disclosure deadline was set to November 2, 2023, right on the 90-day mark.

Due to complexities in fixing the issues faced by multiple vendors, CERT/CC moved the disclosure date numerous times, initially to December 1, 2023, and then later to January 16, 2024.

Still, some asked for a larger postponement, with Microsoft requesting the target date to be moved to May 2024.

Currently, most vendor patches are in a testing/non-validated state, and Tianocore has provided fixes for the first seven vulnerabilities.
